Passkey Account Create policy
The Passkey Account Create policy enables users to create new accounts for themselves. This policy uses the reCAPTCHA mechanism to verify that requests originate from a human and an email OTP to ensure that a valid email address is being used. Where possible, passkey enrollment is offered to users as the first-factor authentication method instead of the traditional password.
Account Create setup
- Ensure that the Prerequisites steps are completed.
- Enable SCIM Verify Access User.
  - Log in to the local management interface.
  - Click AAC.
  - Under Manage, click SCIM Configuration.
  - Click Verify Access User.
  - Check Enable Verify Access Integration.
  - Select the SCIM server connection from the Verify Access User Registry dropdown.
  - Check Update Native Users.
- Configure the reCAPTCHA Verification mechanism. See Configuring the reCAPTCHA Verification authentication mechanism.
- Configure the email OTP delivery mechanism to be used in the Account Create authentication policy.
  - Log in to the local management interface.
  - Click AAC.
  - Under Policy, click Authentication.
  - Click Mechanisms.
  - Click Email One-time Password.
  - Click Edit.
  - Select the Properties tab and configure the connection to the SMTP server.
- Configure a FIDO2 Relying Party.
  - Log in to the local management interface.
  - Click AAC.
  - Under Manage, click FIDO2 Configuration.
  - Enter a Display Name and Relying Party ID.
  - Click Next.
  - Click Save.
  - Click AAC.
  - Under Policy, click Authentication.
  - Click Mechanisms.
  - Click FIDO2 WebAuthn Registration.
  - Click Edit.
  - Select the Properties tab and configure the Relying Party Config ID.
HTML templates
- authsvc/usc/passkey/collect_email.html
- authsvc/usc/passkey/collect_password.html
- authsvc/usc/passkey/collect_profile.html
- authsvc/usc/passkey/email_otp.html
- authsvc/usc/passkey/passkey_reg_decision.html
- authsvc/usc/passkey/success.html
- static/css/usc/passkey.css
- static/scripts/usc/passkey/collect_email.js
- static/scripts/usc/passkey/collect_password.js
- static/scripts/usc/passkey/collect_profile.js
- static/scripts/usc/passkey/email_otp.js
- static/scripts/usc/passkey/passkey_reg_decision.js
- static/scripts/usc/passkey/success.js
JavaScript Mapping Rules
- USC_Common
- USC_Passkey_CollectEmail
- USC_Passkey_CollectPassword
- USC_Passkey_CollectProfile
- USC_Passkey_Reg_Decision
- USC_Passkey_Success
Creating a new account workflow
The Passkey Account Create authentication policy enables users to create new accounts with the following workflow.
- The user accesses the Passkey Account Create policy.
- On this screen, the user is prompted to enter an email address and CAPTCHA.
  - The template page that is presented is authsvc/usc/passkey/collect_email.html.
  - The JavaScript that pre-populates the form and validates responses is USC_Passkey_CollectEmail.
- On the next screen, the user is prompted to enter an OTP.
  - The OTP is delivered by email.
  - The template page that is presented is authsvc/usc/passkey/email_otp.html.
- On the next screen, the user is presented with the enrollment form.
  - The template page that is presented is authsvc/usc/passkey/collect_profile.html.
  - The JavaScript that pre-populates the form and validates responses is USC_Passkey_CollectProfile.
- On the next screen, if the browser has user-verifying platform authenticator (UVPA) capability, the user is prompted to enroll a passkey.
  - The template page that is presented is authsvc/usc/passkey/passkey_reg_decision.html.
  - The JavaScript that prompts the user to enroll is USC_Passkey_Reg_Decision.
  - If the user chooses to enroll a passkey, the user is directed to the FIDO2 WebAuthn Registration mechanism.
  - If the user chooses to skip passkey enrollment, and the user did not enter a password on the collect password page, the user is prompted to enter a password.
    - The template page that is presented is authsvc/usc/passkey/collect_password.html.
    - The JavaScript that pre-populates the form and validates responses is USC_Passkey_CollectPassword.
- On the next screen, the account success page is presented.
  - The template page that is presented is authsvc/usc/passkey/success.html.
  - The JavaScript that pre-populates the template and ends the policy is USC_Passkey_Success.
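The branching in the passkey registration decision step above (UVPA available or not, enroll or skip, password already supplied or not) is easy to get subtly wrong in a page script, so the following added example shows the two pieces a client-side implementation needs: a feature-detection helper that never throws and falls back to "not available", and the pure decision function that picks the next screen. This is illustration code written for this page, not IBM's USC_Passkey_Reg_Decision mapping rule or the passkey_reg_decision.js page script. The function names, the step identifiers in STEPS and the shape of the state object are assumptions made for the example; the behaviour when no UVPA is present (go straight to password collection unless a password was already supplied) is inferred from the policy description rather than stated on the page.

```javascript
// Added example, not part of the Verify Access product code.
// Assumed names: detectUvpa, nextStepAfterProfile, decidePasskeyOffer, STEPS.

// Step identifiers are assumptions for this example; they loosely mirror the
// template names listed on the page but are not product values.
const STEPS = Object.freeze({
  REG_DECISION: 'passkey_reg_decision',          // ask the user enroll/skip
  FIDO2_REGISTRATION: 'fido2_webauthn_registration',
  COLLECT_PASSWORD: 'collect_password',
  SUCCESS: 'success',
});

/**
 * Feature-detect a user-verifying platform authenticator (UVPA).
 * The global object is passed in (in a page: detectUvpa(window)) so the
 * helper can be exercised outside a browser. It resolves to false, and
 * never rejects, when WebAuthn is missing or the availability query throws,
 * so the flow degrades to password collection instead of breaking.
 */
async function detectUvpa(globalObj) {
  const pkc = globalObj && globalObj.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') {
    return false; // no WebAuthn support in this browser
  }
  try {
    return Boolean(await pkc.isUserVerifyingPlatformAuthenticatorAvailable());
  } catch (_err) {
    return false; // treat a failed query as "not available"
  }
}

/**
 * Pure decision: which screen follows the profile form?
 *   uvpaAvailable : result of detectUvpa()
 *   userChoice    : 'enroll' | 'skip' | null (null = user not asked yet)
 *   passwordSet   : true if the user already supplied a password
 * Returns one of the STEPS values.
 */
function nextStepAfterProfile({ uvpaAvailable, userChoice = null, passwordSet = false }) {
  if (!uvpaAvailable) {
    // Inferred behaviour: no platform authenticator means no passkey can be
    // created here, so a password becomes the first factor.
    return passwordSet ? STEPS.SUCCESS : STEPS.COLLECT_PASSWORD;
  }
  if (userChoice === null) {
    return STEPS.REG_DECISION; // show passkey_reg_decision.html
  }
  if (userChoice === 'enroll') {
    return STEPS.FIDO2_REGISTRATION; // hand off to FIDO2 WebAuthn Registration
  }
  if (userChoice === 'skip') {
    // Skipped the passkey: a password is required unless one was already set.
    return passwordSet ? STEPS.SUCCESS : STEPS.COLLECT_PASSWORD;
  }
  throw new Error(`unknown userChoice: ${String(userChoice)}`);
}

/** Convenience wrapper tying detection and decision together. */
async function decidePasskeyOffer(globalObj, state) {
  const uvpaAvailable = await detectUvpa(globalObj);
  return nextStepAfterProfile({ ...state, uvpaAvailable });
}
```

In a page script the call would be `decidePasskeyOffer(window, { userChoice: null, passwordSet: false })` when the profile form is submitted, and again with the user's enroll/skip answer once the decision page has been shown. Keeping the decision function synchronous and free of browser globals is what makes it testable; the only asynchronous part is the WebAuthn availability query.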